FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
ba4f9b19-ed9d-11e4-9118-bcaec565249cwordpress -- cross-site scripting vulnerability

Gary Pendergast reports:

WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnöne.


Discovery 2015-04-27
Entry 2015-05-07
Modified 2015-09-15
wordpress
< 4.2.1,1

de-wordpress
< 4.2.1

ja-wordpress
< 4.2.1

ru-wordpress
< 4.2.1

zh-wordpress-zh_CN
< 4.2.1

zh-wordpress-zh_TW
< 4.2.1

https://wordpress.org/news/2015/04/wordpress-4-2-1/
fb754341-c3e2-11e5-b5fe-002590263bf5wordpress -- XSS vulnerability

Aaron Jorbin reports:

WordPress 4.4.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.4 and earlier are affected by a cross-site scripting vulnerability that could allow a site to be compromised. This was reported by Crtc4L.


Discovery 2016-01-06
Entry 2016-01-26
Modified 2016-03-08
wordpress
< 4.4.1,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
< 4.4.1

CVE-2016-1564
http://www.openwall.com/lists/oss-security/2016/01/08/3
https://wordpress.org/news/2016/01/wordpress-4-4-1-security-and-maintenance-release/
3686917b-164d-11e6-94fa-002590263bf5wordpress -- multiple vulnerabilities

Helen Hou-Sandi reports:

WordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.5.1 and earlier are affected by a SOME vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players. MediaElement.js and Plupload have also released updates fixing these issues.


Discovery 2016-05-06
Entry 2016-05-10
wordpress
< 4.5.2,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
< 4.5.2

CVE-2016-4566
CVE-2016-4567
https://wordpress.org/news/2016/05/wordpress-4-5-2/
http://www.openwall.com/lists/oss-security/2016/05/07/7
a2589511-d6ba-11e7-88dd-00e04c1ea73dwordpress -- multiple issues

wordpress developers reports:

Use a properly generated hash for the newbloguser key instead of a determinate substring.

Add escaping to the language attributes used on html elements.

Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.

Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.


Discovery 2017-11-29
Entry 2017-12-01
wordpress
fr-wordpress
< 4.9.1,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
< 4.9.1

https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
fef03980-e4c6-11e5-b2bd-002590263bf5wordpress -- multiple vulnerabilities

Samuel Sidler reports:

WordPress 4.4.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.4.1 and earlier are affected by two security issues: a possible SSRF for certain local URIs, reported by Ronni Skansing; and an open redirection attack, reported by Shailesh Suthar.


Discovery 2016-02-02
Entry 2016-03-08
wordpress
< 4.4.2,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
< 4.4.2

CVE-2016-2221
CVE-2016-2222
http://www.openwall.com/lists/oss-security/2016/02/04/6
https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
505904d3-ea95-11e4-beaf-bcaec565249cwordpress -- multiple vulnerabilities

Gary Pendergast reports:

WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team.

We also fixed three other security issues:

  • In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
  • In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
  • Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.

We also made four hardening changes, discovered by J.D. Grimes, Divyesh Prajapati, Allan Collins, Marc-Alexandre Montpas and Jeff Bowen.


Discovery 2015-04-21
Entry 2015-04-24
Modified 2015-04-24
wordpress
< 4.1.2

de-wordpress
< 4.1.2

ja-wordpress
< 4.1.2

ru-wordpress
< 4.1.2

zh-wordpress-zh_CN
< 4.1.2

zh-wordpress-zh_TW
< 4.1.2

https://wordpress.org/news/2015/04/wordpress-4-1-2/
043d3a78-f245-4938-9bc7-3d0d35dd94bfwordpress -- multiple vulnerabilities

The wordpress development team reports:

  • Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution.
  • Prevent a user with an Author role, using a specially crafted request, from being able to create a post "written by" another user.
  • Fix insufficient input validation that could result in redirecting or leading a user to another website.

Additionally, we've adjusted security restrictions around file uploads to mitigate the potential for cross-site scripting.


Discovery 2013-09-11
Entry 2013-10-19
Modified 2014-04-30
zh-wordpress-zh_CN
< 3.6.1

zh-wordpress-zh_TW
< 3.6.1

de-wordpress
< 3.6.1

ja-wordpress
< 3.6.1

ru-wordpress
< 3.6.1

wordpress
< 3.6.1

CVE-2013-4338
CVE-2013-4339
CVE-2013-4340
CVE-2013-5738
CVE-2013-5739
http://wordpress.org/news/2013/09/wordpress-3-6-1/
c80b27a2-3165-11e5-8a1d-14dae9d210b8wordpress -- XSS vulnerability

Gary Pendergast reports:

WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team.


Discovery 2015-07-23
Entry 2015-07-23
Modified 2015-09-15
wordpress
< 4.2.3,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
< 4.2.3

https://wordpress.org/news/2015/07/wordpress-4-2-3/
CVE-2015-5622
CVE-2015-5623
b180d1fb-dac6-11e6-ae1b-002590263bf5wordpress -- multiple vulnerabilities

Aaron D. Campbell reports:

WordPress versions 4.7 and earlier are affected by eight security issues...


Discovery 2017-01-11
Entry 2017-01-15
wordpress
< 4.7.1,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
< 4.7.1

CVE-2017-5487
CVE-2017-5488
CVE-2017-5489
CVE-2017-5490
CVE-2017-5491
CVE-2017-5492
CVE-2017-5493
http://www.openwall.com/lists/oss-security/2017/01/14/6
https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
049332d2-f6e1-11e2-82f3-000c29ee3065wordpress -- multiple vulnerabilities

The wordpress development team reports:

  • Blocking server-side request forgery attacks, which could potentially enable an attacker to gain access to a site
  • Disallow contributors from improperly publishing posts
  • An update to the SWFUpload external library to fix cross-site scripting vulnerabilities
  • Prevention of a denial of service attack, affecting sites using password-protected posts
  • An update to an external TinyMCE library to fix a cross-site scripting vulnerability
  • Multiple fixes for cross-site scripting
  • Avoid disclosing a full file path when a upload fails

Discovery 2013-06-21
Entry 2013-07-27
Modified 2014-04-30
wordpress
< 3.5.2,1

zh-wordpress-zh_CN
< 3.5.2

zh-wordpress-zh_TW
< 3.5.2

de-wordpress
< 3.5.2

ja-wordpress
< 3.5.2

ru-wordpress
< 3.5.2

CVE-2013-2199
CVE-2013-2200
CVE-2013-2201
CVE-2013-2202
CVE-2013-2203
CVE-2013-2204
CVE-2013-2205
https://wordpress.org/news/2013/06/wordpress-3-5-2/
f4ce64c2-5bd4-11e5-9040-3c970e169bc2wordpress -- multiple vulnerabilities

Samuel Sidler reports:

WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

  • WordPress versions 4.3 and earlier are vulnerable to a cross-site scripting vulnerability when processing shortcode tags (CVE-2015-5714). Reported by Shahar Tal and Netanel Rubin of Check Point.
  • A separate cross-site scripting vulnerability was found in the user list table. Reported by Ben Bidner of the WordPress security team.
  • Finally, in certain cases, users without proper permissions could publish private posts and make them sticky (CVE-2015-5715). Reported by Shahar Tal and Netanel Rubin of Check Point.

Discovery 2015-09-15
Entry 2015-09-15
Modified 2015-10-29
wordpress
< 4.3.1,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
< 4.3.1

CVE-2015-5714
CVE-2015-5715
CVE-2015-7989
http://www.openwall.com/lists/oss-security/2015/10/28/1
https://wordpress.org/news/2015/09/wordpress-4-3-1/
82752070-0349-11e7-b48d-00e04c1ea73dwordpress -- multiple vulnerabilities

WordPress versions 4.7.2 and earlier are affected by six security issues.

  • Cross-site scripting (XSS) via media file metadata.
  • Control characters can trick redirect URL validation.
  • Unintended files can be deleted by administrators using the plugin deletion functionality.
  • Cross-site scripting (XSS) via video URL in YouTube embeds.
  • Cross-site scripting (XSS) via taxonomy term names.
  • Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.

Discovery 2017-03-07
Entry 2017-03-07
wordpress
< 4.7.3,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
< 4.7.3

http://www.openwall.com/lists/oss-security/2017/03/07/3
https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
c04dc18f-fcde-11e7-bdf6-00e04c1ea73dwordpress -- multiple issues

wordpress developers reports:

JavaScript errors that prevented saving posts in Firefox have been fixed.

The previous taxonomy-agnostic behavior of get_category_link() and category_description() was restored.

Switching themes will now attempt to restore previous widget assignments, even when there are no sidebars to map.


Discovery 2018-01-16
Entry 2018-01-19
wordpress
fr-wordpress
< 4.9.2,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
< 4.9.2

https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
d86890da-f498-11e4-99aa-bcaec565249cwordpress -- 2 cross-site scripting vulnerabilities

Samuel Sidler reports:

The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.

WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue.

The release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. This issue was reported by Mahadev Subedi.


Discovery 2015-05-07
Entry 2015-05-07
Modified 2015-09-15
wordpress
< 4.2.2,1

de-wordpress
< 4.2.2

ja-wordpress
< 4.2.2

ru-wordpress
< 4.2.2

zh-wordpress-zh_CN
< 4.2.2

zh-wordpress-zh_TW
< 4.2.2

https://wordpress.org/news/2015/05/wordpress-4-2-2/
14ea4458-e5cd-11e6-b56d-38d547003487wordpress -- multiple vulnerabilities

Aaron D. Campbell reports:

WordPress versions 4.7.1 and earlier are affected by three security issues:

  • The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it.
  • WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.
  • A cross-site scripting (XSS) vulnerability was discovered in the posts list table.
  • An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint.

Discovery 2017-01-26
Entry 2017-01-29
wordpress
< 4.7.2,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
< 4.7.2

CVE-2017-5610
CVE-2017-5611
CVE-2017-5612
http://www.openwall.com/lists/oss-security/2017/01/28/5
https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
https://make.wordpress.org/core/2017/02/01/disclosure-of-additional-security-fix-in-wordpress-4-7-2/
ac5ec8e3-3c6c-11e5-b921-00a0986f28c4wordpress -- Multiple vulnerability

Gary Pendergast reports:

WordPress 4.2.4 fixes three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site.


Discovery 2015-08-04
Entry 2015-08-06
Modified 2015-09-15
wordpress
< 4.2.4,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
< 4.2.4

https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/
CVE-2015-2213
CVE-2015-5730
CVE-2015-5731
CVE-2015-5732
CVE-2015-5733
CVE-2015-5734
54e50cd9-c1a8-11e6-ae1b-002590263bf5wordpress -- multiple vulnerabilities

Jeremy Felt reports:

WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.


Discovery 2016-09-07
Entry 2016-12-14
wordpress
< 4.6.1,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
< 4.6.1

https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
810df820-3664-11e1-8fe3-00215c6a37bbWordPress -- cross site scripting vulnerability

WordPress development team reports:

WordPress 3.3.1 is now available. This maintenance release fixes 15 issues with WordPress 3.3, as well as a fix for a cross-site scripting vulnerability that affected version 3.3. Thanks to Joshua H., Hoang T., Stefan Zimmerman, Chris K., and the Go Daddy security team for responsibly disclosing the bug to our security team.


Discovery 2012-01-03
Entry 2012-01-03
wordpress
< 3.3.1,1

de-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
< 3.3.1

http://threatpost.com/en_us/blogs/xss-bug-found-wordpress-33-010312
559e00b7-6a4d-11e2-b6b0-10bf48230856wordpress -- multiple vulnerabilities

Wordpress reports:

WordPress 3.5.1 also addresses the following security issues:

  • A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We'd like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
  • Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
  • A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.

Discovery 2013-01-24
Entry 2013-01-29
Modified 2014-04-30
wordpress
< 3.5.1,1

zh-wordpress-zh_CN
< 3.5.1

zh-wordpress-zh_TW
< 3.5.1

de-wordpress
< 3.5.1

ja-wordpress
< 3.5.1

ru-wordpress
< 3.5.1

CVE-2013-0235
CVE-2013-0236
CVE-2013-0237
a5bb7ea0-3e58-11e7-94a2-00e04c1ea73dWordpress -- multiple vulnerabilities

WordPress versions 4.7.4 and earlier are affected by six security issues

  • Insufficient redirect validation in the HTTP class.
  • Improper handling of post meta data values in the XML-RPC API.
  • Lack of capability checks for post meta data in the XML-RPC API.
  • A Cross Site Request Forgery (CRSF) vulnerability was discovered in the filesystem credentials dialog.
  • A cross-site scripting (XSS) vulnerability was discovered related to the Customizer.

Discovery 2017-05-16
Entry 2017-05-21
wordpress
fr-wordpress
< 4.7.5,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
< 4.7.5

https://wordpress.org/news/2017/05/wordpress-4-7-5/
bfcc23b6-3b27-11e6-8e82-002590263bf5wordpress -- multiple vulnerabilities

Adam Silverstein reports:

WordPress 4.5.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.5.2 and earlier are affected by several security issues: redirect bypass in the customizer, reported by Yassine Aboukir; two different XSS problems via attachment names, reported by Jouko Pynnönenand Divyesh Prajapati; revision history information disclosure, reported independently by John Blackbourn from the WordPress security team and by Dan Moen from the Wordfence Research Team; oEmbed denial of service reported by Jennifer Dodd from Automattic; unauthorized category removal from a post, reported by David Herrera from Alley Interactive; password change via stolen cookie, reported by Michael Adams from the WordPress security team; and some less secure sanitize_file_name edge cases reported by Peter Westwood of the WordPress security team.


Discovery 2016-06-18
Entry 2016-06-25
wordpress
< 4.5.3,1

de-wordpress
ja-wordpress
ru-wordpress
zh-wordpress-zh_CN
zh-wordpress-zh_TW
< 4.5.3

CVE-2016-5832
CVE-2016-5833
CVE-2016-5834
CVE-2016-5835
CVE-2016-5836
CVE-2016-5837
CVE-2016-5838
CVE-2016-5839
ports/210480
ports/210581
https://wordpress.org/news/2016/06/wordpress-4-5-3/
http://www.openwall.com/lists/oss-security/2016/06/23/9